Linux Host

RPC Client

# Authenticate using username and password to domain Marvel
rpcclient -U "Marvel\hsaad%P@ssw0rd" 10.0.2.100

# Authenticate using Null Session
rpcclient -U "" -N 10.0.2.6

# Enumerate Domain Info
> enumdomains
> querydominfo
> srvinfo

# Enumerate Domain Users
> enumdomusers
> queryuser hsaad // OR through rid {0x501}

# Enumerate Password Policy
> getdompwinfo

# Enumerate Domain Groups
> enumdomgroups
> enumalsgroups domain
> querygroup 0x5a0a

# Enumerate Local Groups
> enumalsgroups builtin

# Enumerate Groups Members
> querygroupmem 0x5a0
> queryaliasmem builtin|domain 0x5a0

# Enumerate Users Groups
> queryusergroups 0x501

# Enumerate the members of administrators and RDP local groups
> queryaliasmem builtin 0x220 // Administrators group members
> queryaliasmem builtin 0x22b // Remote Desktop Users group members

SMBclient

# Test Open Shares
smbclient -U "Marvel\hsaad%P@ssw0rd" -L 10.0.2.6

# Access Shares
smbclient -U "Marvel\hsaad%P@ssw0rd" \\\\172.31.2.112\\SYSVOL

# Script to Automate
for ip in $(cat ips.txt);do
(smbclient -U "Marvel\hsaad%P@ssw0rd" -L $ip | grep Disk | cut -d " " -f 1 | sed 's/\t//' | while read shares;do echo "\\\\\\\\$ip\\\\"$shares | tee -a shares.txt;done) & sleep 1
done
cat shares.txt | while read share;do
echo $share >> shares-files.txt
smbclient -U "Marvel\hsaad%P@ssw0rd" $share -c "dir" | tee -a shares-files.txt;
done

Enum4Linux

enum4linux -u Marvel/hsaad -p P@ssw0rd -a 10.0.2.100 # enumerate all
enum4linux -u Marvel/hsaad -p P@ssw0rd -U 10.0.2.100 # enumerate users
enum4linux -u Marvel/hsaad -p P@ssw0rd -G 10.0.2.100 # enumerate groups
enum4linux -u Marvel/hsaad -p P@ssw0rd -P 10.0.2.100 # enumerate password policy
enum4linux -u Marvel/hsaad -p P@ssw0rd -S 10.0.2.100 # enumerate shares
enum4linux -a 10.0.2.100 # enumerate all using null session if exists

CrackMapExec

# Find local admin on IP list based on username and password
for line in $(cat IP.txt);do
crackmapexec smb $line -d Marvel.local -u hsaad -p P@ssw0rd | tee -a crack.log & sleep 2;
done

Hydra

# Find RDP access on IP list based on username and password
for line in $(cat IP.txt);do
hydra -l hsaad -p P@ssw0rd -m Marvel.local -t 1 $line rdp | tee -a hydra.log & sleep 2;
done

PreviousBloodHound NextInternal Applications

Last updated 3 years ago